FortiOS™ Handbook - PCI DSS Compliance VERSION 5.4.0
February-03-16 FortiOS™ Handbook - PCI DSS Compliance 01-540-129720-20160203
TABLE OF CONTENTS

Change Log  5
Introduction  6
    Before you begin  6
    How this guide is organized  6
    FortiOS 5.4 compliance and certification new features  6
        Vulnerability Scanning has been removed (293156)  6
        PCI DSS Compliance Check Support (270014)  6
Configuring FortiGate units for PCI DSS compliance  8
    Introduction to PCI DSS  8
        What is PCI DSS?  8
        What is the Cardholder Data Environment?  8
        PCI DSS objectives and requirements  8
        Wireless guidelines  10
    Running PCI DSS compliance checks  10
        Configuring PCI DSS compliance checking  11
        Per-VDOM compliance checking  11
        Compliance checking diagnose command  12
    Network topology  12
        Internet  13
        The CDE wired LAN  13
        The CDE wireless LAN  14
        Other internal networks  14
    Security policies for the CDE network  14
        Controlling the source and destination of traffic  14
        Controlling the types of traffic in the CDE  15
        The default deny policy  15
    Wireless network security  15
        On-wire detection of rogue APs  15
        Setting up rogue access point scanning  15
        Securing a CDE network wireless access point  16
    Protecting stored cardholder data  17
    Protecting communicated cardholder data  17
        Configuring IPsec VPN security  17
        Configuring SSL VPN security  18
    Protecting the CDE network from viruses  18
        Enabling FortiGate antivirus protection  18
        Configuring antivirus updates  19
        Enforcing firewall use on endpoint PCs  19
    Monitoring the network for vulnerabilities  19
        FortiGate logs  19
        Monitoring with other Fortinet products  19
    Restricting access to cardholder data  20
        Controlling access to the CDE network  20
        Password complexity and change requirements  20
        Password non-reuse requirement  21
        Administrator lockout requirement  21
        Administrator timeout requirement  22
        Administrator access security  22
        Remote access security  22
Change Log

Date                Change Description
February 3, 2016    Initial Release
Introduction

This document describes how FortiOS is compliant with the Payment Card Industry Data Security Standard (PCI DSS).

Before you begin

Before you begin using this guide, please ensure that:

- You have administrative access to the web-based manager and/or CLI.
- The FortiGate unit is integrated into your network.
- The operation mode has been configured.
- The system time, DNS settings, administrator password, and network interfaces have been configured.
- Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed.
- FortiGuard Analysis & Management Service is properly configured.
While using the instructions in this guide, note that administrators are assumed to be super_admin administrators unless otherwise specified. Some restrictions will apply to other administrators.
How this guide is organized

This FortiOS Handbook chapter contains the following sections: Configuring FortiGate units for PCI DSS compliance on page 8 explains the Payment Card Industry Data Security Standard (PCI DSS). It provides information about configuring your network and FortiGate unit to help you comply with PCI DSS requirements.

FortiOS 5.4 compliance and certification new features

Vulnerability Scanning has been removed (293156)

Vulnerability scanning can now be done from FortiClient.

PCI DSS Compliance Check Support (270014)

FortiOS 5.4 allows you to run a compliance check either on demand or according to a schedule that automatically checks PCI DSS compliance at the global or VDOM level. The compliance check determines whether the FortiGate is compliant with each PCI DSS requirement by displaying an 'X' next to the non-compliant entries in the GUI logs. Go to System > Advanced > Compliance, turn on compliance checking and configure a daily time to run the compliance check. Or you can select Run Now to run the compliance check on demand.
PCI DSS Compliance for FortiOS 5.4 Fortinet Technologies Inc.
Go to Log & Report > Compliance Events to view compliance checking log messages that show the results of running compliance checks.
Configuring FortiGate units for PCI DSS compliance

This chapter provides information about configuring your network and FortiGate unit to help you comply with PCI DSS requirements. It also describes other Fortinet products that can help you with PCI DSS compliance.

Introduction to PCI DSS

The primary source of information for your PCI DSS compliance program is the Payment Card Industry (PCI) Data Security Standard itself. Version 3.1 of the standard was published in April 2015. The following is a brief summary of PCI DSS.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) sets data handling requirements for organizations that hold, process, or exchange cardholder information.

What is the Cardholder Data Environment?

Throughout the PCI DSS requirements, there are references to the Cardholder Data Environment (CDE). The CDE is the computer environment in which cardholder data is transferred, processed, or stored, together with any networks or devices directly connected to that environment.

PCI DSS objectives and requirements

PCI DSS consists of 6 control objectives and 12 requirements.
PCI DSS Control Objectives and Requirements

Control Objective: Build and Maintain a Secure Network and Systems
    Requirement 1. Install and maintain a firewall configuration to protect cardholder data
        Fortinet Solution: FortiGate firewall functionality. See Security policies for the CDE network on page 14.
    Requirement 2. Do not use vendor-supplied defaults for system passwords and other security parameters
        Fortinet Solution: FortiDB vulnerability assessment and auditing; FortiWeb web application password checking. See Password complexity and change requirements on page 20.

Control Objective: Protect Cardholder Data
    Requirement 3. Protect stored cardholder data
        Fortinet Solution: FortiDB vulnerability assessment and monitoring; FortiWeb web application firewall. See Protecting stored cardholder data on page 17.
    Requirement 4. Encrypt transmission of cardholder data across open, public networks
        Fortinet Solution: FortiGate IPsec VPN. See Protecting communicated cardholder data on page 17.

Control Objective: Maintain a Vulnerability Management Program
    Requirement 5. Protect all systems against malware and regularly update antivirus software or programs
        Fortinet Solution: FortiGate integrated AV; FortiClient integrated AV; FortiMobile integrated AV; FortiMail integrated AV; FortiGuard automated AV updates. See Protecting the CDE network from viruses on page 18.
    Requirement 6. Develop and maintain secure systems and applications
        Fortinet Solution: FortiDB vulnerability assessment, auditing and monitoring; FortiWeb web application security; FortiGate Application Control.

Control Objective: Implement Strong Access Control Measures
    Requirement 7. Restrict access to cardholder data by business need-to-know
        Fortinet Solution: FortiDB vulnerability assessment, auditing and monitoring. See Restricting access to cardholder data on page 20.
    Requirement 8. Identify and authenticate access to system components
        Fortinet Solution: FortiGate integrated database or hooks to Active Directory. See Controlling access to the CDE network on page 20.
    Requirement 9. Restrict physical access to cardholder data
        Fortinet Solution: Fortinet professional services in partnership with partner solutions.

Control Objective: Regularly Monitor and Test Networks
    Requirement 10. Track and monitor all access to network resources and cardholder data
        Fortinet Solution: FortiDB auditing and monitoring; FortiAnalyzer event reporting. See Monitoring the network for vulnerabilities.
    Requirement 11. Regularly test security systems and processes
        Fortinet Solution: FortiDB vulnerability assessment. See Monitoring the network for vulnerabilities.

Control Objective: Maintain an Information Security Policy
    Requirement 12. Maintain a policy that addresses information security for all personnel
        Fortinet Solution: FortiManager security policy management appliance.
This chapter describes how the FortiGate’s features can help your organization to be compliant with PCI DSS. Requirements that the FortiGate cannot enforce need to be met through organization policies with some means determined for auditing compliance. Be sure to read the following wireless guidelines. Even if your organization does not use wireless networking, PCI DSS requires you to verify periodically that wireless networking has not been introduced into the CDE.
Wireless guidelines

While wired networks usually connect fixed, known workstations, wireless networks are more dynamic, introducing a different set of security concerns. Even if your organization does not use wireless networking, PCI DSS requires you to verify periodically that unauthorized wireless networking has not been introduced into the CDE. Wireless networking could be introduced quite casually by adding a wireless device to a PC on the CDE network. For all PCI DSS networks, whether they use wireless technology or not, the following requirement applies:

- Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use. (11.1)
If your organization uses wireless networking outside the CDE network and the firewall prevents communication with the CDE network, the wireless network is outside the PCI DSS scope, but the firewall configuration must meet PCI DSS requirements. If your organization uses wireless networking inside the CDE network, the wireless network is within the PCI DSS scope. For information about wireless network requirements, see Wireless network security on page 15.
Running PCI DSS compliance checks

FortiOS 5.4 allows you to run a compliance check either on demand or according to a schedule that automatically checks PCI DSS compliance at the global and/or VDOM level. The compliance check determines whether the FortiGate is compliant with each PCI DSS requirement by displaying an 'X' next to the non-compliant entries in the GUI logs. The FortiGate runs at least 50 compliance checks that report on the status of a number of things, including:

- Checking that out-of-state ICMP packets are dropped
- The TCP end timeout is set
- SSH and SSL deep inspection with web filtering drops traffic from servers with invalid server certificates
- Verifying that IPS signatures, Application Control signatures, and Antivirus signatures are up to date
- Determining if Spyware/Malicious sites are being blocked by a web filtering policy
- Verifying that administrators are locked out after 3 login failures
For a complete list of compliance checks go to Log & Report > Compliance Events.
Configuring PCI DSS compliance checking

Go to System > Advanced > Compliance, turn on compliance checking and configure a daily time to run the compliance check. Or you can select Run Now to run the compliance check on demand.
Go to Log & Report > Compliance Events to view compliance checking log messages that show the results of running compliance checks.
You can also configure compliance checking and set up the schedule from the CLI:

config system global
    set compliance-check {disable | enable}
    set compliance-check-time
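The built-in checker above is a black box: it runs on the FortiGate and marks non-compliant entries with an 'X' in the compliance event log. To make the idea concrete for both the list of checks and the CLI settings above, the following added example (not Fortinet code, and not a substitute for the FortiGate's own checker) evaluates a small subset of comparable checks offline against the text of `config system global` as printed by `show full-configuration`. The administrator lockout check uses the real `admin-lockout-threshold` setting; the compliance-check settings are the two shown above; the `HH:MM` format assumed for `compliance-check-time` and the sample configuration itself are assumptions constructed for this example.

```python
"""Offline approximation of a few FortiGate PCI DSS compliance checks.

Added example, not Fortinet's code. It parses the `config system global`
block in the format of `show full-configuration` output and evaluates a
small subset of checks modelled on the handbook's list. The FortiGate's
own checker (System > Advanced > Compliance) remains the authoritative
source; this only illustrates how such a check is evaluated.
"""
import re
from dataclasses import dataclass

# Constructed sample configuration (not from a real device). The lockout
# threshold of 5 is chosen so that one check fails and shows the 'X' marker.
# The HH:MM value for compliance-check-time is an assumed format.
SAMPLE_CONFIG = """\
config system global
    set admintimeout 5
    set admin-lockout-threshold 5
    set admin-lockout-duration 60
    set compliance-check enable
    set compliance-check-time 02:00
end
"""


def parse_system_global(text):
    """Return {key: value} for the `set` lines inside `config system global`."""
    settings = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system global":
            inside = True
            continue
        if inside and line == "end":
            break
        match = re.match(r"set (\S+) (.+)", line)
        if inside and match:
            settings[match.group(1)] = match.group(2).strip('"')
    return settings


@dataclass
class CheckResult:
    name: str
    compliant: bool
    detail: str


def run_checks(settings):
    """Evaluate the illustrative checks; names and thresholds are assumptions."""
    results = []

    # Administrators must be locked out after 3 failed logins, so a threshold
    # of 1..3 passes; an unset or higher value fails.
    threshold = int(settings.get("admin-lockout-threshold", 0) or 0)
    results.append(CheckResult(
        "admin lockout after 3 login failures",
        0 < threshold <= 3,
        f"admin-lockout-threshold={threshold or '<unset>'}"))

    # Scheduled compliance checking must be turned on.
    check = settings.get("compliance-check", "disable")
    results.append(CheckResult(
        "compliance checking enabled",
        check == "enable",
        f"compliance-check={check}"))

    # A daily run time must be configured (HH:MM assumed).
    run_time = settings.get("compliance-check-time", "")
    scheduled = bool(re.fullmatch(r"([01]\d|2[0-3]):[0-5]\d", run_time))
    results.append(CheckResult(
        "compliance check scheduled daily",
        scheduled,
        f"compliance-check-time={run_time or '<unset>'}"))
    return results


def audit(text):
    """Parse a configuration dump and run all checks on it."""
    return run_checks(parse_system_global(text))


def format_report(results):
    """Mirror the GUI convention: an 'X' marks each non-compliant entry."""
    return "\n".join(
        f"{'X' if not r.compliant else ' '} {r.name} ({r.detail})"
        for r in results)


if __name__ == "__main__":
    print(format_report(audit(SAMPLE_CONFIG)))
```

Running it on the constructed sample reports the lockout threshold as non-compliant and the two compliance-check settings as compliant; feeding it an empty `config system global` block marks all three entries with an 'X', which is the behaviour a reviewer would want from a checker that treats unset values as failures rather than as unknowns.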